Use gaol as the sandboxing mechanism #4

Open: wants to merge 1 commit into base branch develop
Conversation

@tarcieri (Member) commented May 18, 2019

This commit signals the intent of this project to explore gaol as the mechanism by which builds are sandboxed:

https://github.com/servo/gaol

The README.md for gaol carries the following warning:

> gaol is only lightly reviewed for correctness and security. It should not be considered mature or "battle-tested". Use at your own risk.

However, cursory review of gaol's source code shows it's a relatively simple cross-platform sandboxing solution which provides pure Rust wrappers for the underlying OS facilities sandboxing solutions should be leveraging.

As gaol is used by Servo, it's something the Rust team is probably already familiar with, which increases the chances of upstreaming a sandboxing solution into Cargo proper, a potential goal for this project.

@tarcieri (Member, Author) commented:

There are many different approaches to sandboxing this crate could potentially take. I would suggest discussion of significantly different approaches (e.g. virtual machines) happen on the Determine project goals (#3) issue, and suggest this PR focus specifically on whether or not gaol is the correct path forward here.

I will provide a quick list of pros/cons for gaol:

Pros

  • Maintained by the Servo team - already important infrastructure
  • Written in Rust
  • Decent cross-platform support
  • Decent support for OS sandboxing APIs (e.g. seccomp and namespaces on Linux)

Cons

  • Relatively immature (e.g. has not been audited or heavily attacked in the wild)
  • Hasn't seen a release in 2 years - still maintained? (lots of merged PRs at least, last one in Feb 2019)

@alex (Member) commented May 18, 2019

No Windows support -- and Windows is by far the most complex OS to work on. Sadly Windows doesn't really lend itself to the nice granular API that gaol exposes, and that you can get on Linux or macOS. Instead Windows has really coarse-grained controls like the access token and integrity level. Even things like allowing access to some directories and restricting access to others generally requires a broker process.

Note that this may be changed/better with Windows 10's Application Container APIs, I'm not an expert in those.
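The two comments above describe the same policy from two sides: an allowlist profile (literal path or subtree, everything else denied) that the kernel enforces via seccomp/namespaces or the macOS sandbox on the platforms gaol covers, and that a broker process has to evaluate by hand on Windows. The block below is an added example written for this discussion, not gaol's code and not this project's; the `Profile`, `Operation`, `PathPattern` and `Access` names and the `/build/crate-src` style paths are assumptions. It shows the two mistakes a hand-rolled broker most often makes, comparing the raw request string (escapable with `..`) and testing a string prefix instead of whole path components (`/build/crate` would then match `/build/crate-other`), and how a profile check avoids both.

```rust
// Added example: broker-side evaluation of an allowlist sandbox profile.
// Illustrative only; not gaol's API and not this project's code. All names
// and paths are assumptions made for the example.
use std::path::{Component, Path, PathBuf};

/// What one allowlist entry covers.
#[derive(Debug, Clone, PartialEq)]
pub enum PathPattern {
    /// Exactly this path.
    Literal(PathBuf),
    /// This directory and everything beneath it.
    Subpath(PathBuf),
}

/// Allowed operations. Anything not listed in a profile is denied.
#[derive(Debug, Clone, PartialEq)]
pub enum Operation {
    /// Read contents and metadata of files under the pattern.
    FileReadAll(PathPattern),
    /// Read metadata only (stat, existence) under the pattern.
    FileReadMetadata(PathPattern),
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Access {
    Read,
    Metadata,
}

pub struct Profile {
    allowed: Vec<Operation>,
}

/// Lexically normalise an absolute path (collapse `.` and `..`) without
/// touching the filesystem, so `/allowed/../secret` cannot slip past the
/// allowlist. Relative paths are rejected: the allowlist is absolute.
/// Caveat: this resolves no symlinks; a real broker must also canonicalise
/// on disk (or open with a RESOLVE_BENEATH-style flag) before trusting it.
pub fn normalize(path: &Path) -> Option<PathBuf> {
    if !path.is_absolute() {
        return None;
    }
    let mut out = PathBuf::new();
    for component in path.components() {
        match component {
            Component::Prefix(_) | Component::RootDir => out.push(component.as_os_str()),
            Component::CurDir => {}
            // `pop` on the root is a no-op, so `/..` stays `/`, as the OS treats it.
            Component::ParentDir => {
                out.pop();
            }
            Component::Normal(part) => out.push(part),
        }
    }
    Some(out)
}

impl PathPattern {
    /// Component-wise match: `Path::starts_with` compares whole components,
    /// so `/build/crate-src` does not match `/build/crate-src-other`.
    fn matches(&self, requested: &Path) -> bool {
        match self {
            PathPattern::Literal(p) => requested == p.as_path(),
            PathPattern::Subpath(dir) => requested.starts_with(dir),
        }
    }
}

impl Profile {
    pub fn new(allowed: Vec<Operation>) -> Profile {
        Profile { allowed }
    }

    /// Decide one access request. Read permission implies metadata
    /// permission; metadata permission does not imply read.
    pub fn allows(&self, access: Access, requested: &Path) -> bool {
        let requested = match normalize(requested) {
            Some(p) => p,
            None => return false,
        };
        self.allowed.iter().any(|op| match (op, access) {
            (Operation::FileReadAll(pat), _) => pat.matches(&requested),
            (Operation::FileReadMetadata(pat), Access::Metadata) => pat.matches(&requested),
            (Operation::FileReadMetadata(_), Access::Read) => false,
        })
    }
}

/// The shape of profile a build sandbox would want: the crate being built and
/// the registry cache are readable, one system file is stat-able, nothing else.
/// Paths are constructed for the example.
pub fn example_profile() -> Profile {
    Profile::new(vec![
        Operation::FileReadAll(PathPattern::Subpath(PathBuf::from("/build/crate-src"))),
        Operation::FileReadAll(PathPattern::Subpath(PathBuf::from("/home/user/.cargo/registry"))),
        Operation::FileReadMetadata(PathPattern::Literal(PathBuf::from("/etc/hosts"))),
    ])
}

fn main() {
    let profile = example_profile();
    let requests = [
        (Access::Read, "/build/crate-src/src/lib.rs"),
        (Access::Read, "/build/crate-src/../secrets/key"),
        (Access::Read, "/build/crate-src-other/src/lib.rs"),
        (Access::Metadata, "/etc/hosts"),
        (Access::Read, "/etc/hosts"),
    ];
    for (access, path) in requests.iter() {
        println!("{:?} {} -> {}", access, path, profile.allows(*access, Path::new(path)));
    }
}
```

On Linux or macOS the same profile would be handed to the kernel rather than consulted per request, which is the point of tarcieri's "OS facilities" remark: the broker version is what you fall back to when the platform offers only coarse controls.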
